Carrier-grade NAT: The Killer of the "Homelab"

Posted by type0 3 days ago


Comments

Comment by rrrix1 3 days ago

No IPv6 support? Still? That’s the real problem if so.

Comment by alextingle 3 days ago

Agree. Surely the ISP can assign customers a real IPv6 range, and also a NAT'd IPv4 address for legacy stuff?

I hardly notice if IPv4 stops working, these days.

Comment by stevefan1999 2 days ago

I would say the biggest problem of CGNAT is that it is essentially double NAT: your home router does one layer of NAT, and the ISP does another layer of NAT on the edge that is close to your home. Not only could the latency add up (although so far it is not a problem in general), but there is also another point of failure to be concerned about.

I happened to come across this with CGNAT at my parents' house; luckily they have backup IPv6, so I can access it remotely "directly".
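A quick check for the situation described in the two comments above (is the router's WAN address in the RFC 6598 shared space that ISPs use for CGNAT, is there a second NAT layer, and does the IPv6 address actually look reachable from outside), added here as an example rather than code from any commenter; the addresses in the comments are constructed samples.

```python
import ipaddress

# RFC 6598 shared address space: an ISP hands these out to customers behind CGNAT.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")


def classify_ipv4(router_wan: str, seen_from_internet: str) -> str:
    """Classify the IPv4 path out of a home network.

    router_wan:         the address your own router reports on its WAN/PPPoE interface
    seen_from_internet: the source address an external host sees for you
                        (what a "what is my IP" service returns)
    """
    wan = ipaddress.ip_address(router_wan)
    public = ipaddress.ip_address(seen_from_internet)
    if wan.version != 4 or public.version != 4:
        raise ValueError("classify_ipv4 expects two IPv4 addresses")
    if wan in CGNAT_SHARED:
        # WAN sits in shared space: the ISP translates a second time (CGNAT).
        return "cgnat"
    if wan.is_private:
        # WAN is RFC 1918: another NAT device upstream, e.g. an ISP modem/router.
        return "double-nat"
    if wan == public and wan.is_global:
        # Router holds the same globally routable address the world sees: plain NAT.
        return "public"
    # WAN is routable but differs from what the world sees: some other translation
    # or proxy is in the path; check before assuming inbound connections will work.
    return "unexpected"


def ipv6_usable_for_inbound(addr: str) -> bool:
    """True if addr is a global unicast IPv6 address a remote host could reach
    (firewalling aside): not link-local, ULA (fc00::/7), loopback or unspecified."""
    a = ipaddress.ip_address(addr)
    if a.version != 6:
        return False
    return a.is_global and not a.is_link_local and not a.is_private


if __name__ == "__main__":
    # Constructed sample: a router whose WAN is in 100.64.0.0/10, as seen under CGNAT.
    print(classify_ipv4("100.64.12.7", "93.184.216.34"))   # cgnat
    print(ipv6_usable_for_inbound("2a02:1234::1"))         # True
```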

Comment by wkat4242 3 days ago

It's not so bad IMO. I self-host a lot, but I use a mesh VPN, Tailscale, to get to it. It's much safer not having my stuff exposed to the whole internet: I don't need to have incoming ports open, I don't care if my IP changes, etc.

Comment by hollow-moe 3 days ago

Do you get direct connections, or are you stuck with the backup relays?

Comment by marklar423 3 days ago

Can tailscale connect to hosts behind CGNAT?

Comment by eszed 3 days ago

Yes. They run public DERP servers. I'm no longer on an ISP with CGNAT, but never had an issue - a marginal (like 10%?) throughput penalty, but not enough to notice with only a few users. I understand you can run your own DERP, though I never had the need, and it Just Worked.

Comment by MuffWarrior 2 days ago

I use https://getpublicip.com to deliver a public IP address to my home lab. I use them over Cloudflare tunnels and Tailscale because I run an email server at home and I don't want encryption terminating in the cloud (as is the case with Cloudflare tunnels). It's also a TCP / UDP level solution, which means I can host anything I want.

Comment by vercaemert 3 days ago

You can create a tunnel from a cheap VM (or appropriately sized set of VMs) in a cloud.

It's a different, new calculus. The result is still that you have the same server power in your home, if that's what you want.

Comment by wkat4242 3 days ago

I prefer a mesh VPN because it's an extra authentication layer that Cloudflare tunnels don't have. But if you need to offer services publicly, it's a good option, true.

Comment by vercaemert 3 days ago

Interestingly, you say this. During my AI-driven research that led me toward tunnels, I found that VPN was the less secure approach.

For SSH/Mosh, for example, I chose a WARP tunnel. I set it up with a certificate that expires immediately after each connection. My MFA was explicitly limited to password and Duo SSO Push.

As I mentioned, though, my decision was primarily based on an Agent Mode prompt to ChatGPT, so I'm far from an expert.

Comment by GauntletWizard 2 days ago

AI driven research tells you everything you need to know about your conclusions; there's a hint of truth that's hiding an incredible web of misconceptions.

Mesh VPNs as a security mechanism replacing having secure server to server communication is just replacing one soft-center security mechanism with another. Mesh VPNs as the gateway to services that are themselves well secured is well over doubly secure over just having publicly accessible services; now you need the security holes to line up.

Comment by wkat4242 2 days ago

Why would a VPN be less secure? It's an extra hurdle for attackers to take. You can still use whatever authentication you can on the service. And with a mesh VPN you also don't need to open any ports.

However, when I look into it, it seems like WARP is also a VPN-like service, just a cloud one. Also, I do self-hosting, so a "cloud native" solution, as Cloudflare calls it, is explicitly not what I want. If your homelab is all about cloud, then of course you would want something like this.

Comment by vercaemert 2 days ago

My concern was specifically about other devices on the same home network, outside the homelab, becoming vulnerable.

I don't remember the details. Not relevant to you if you don't want to use cloud-native services.

Personally, I like proprietary security-oriented code where possible, cloud-native or not. That factored into the decision.

Comment by commandersaki 3 days ago

Yep, I access my Raspberry Pis using rathole via a VM. Easy enough.